Header: Base64URL encoded. Contains the token type (JWT) and the signing algorithm (e.g. HS256, RS256).
Payload: Base64URL encoded. Contains the claims: sub, iat, exp, user roles and any custom data.
Signature: HMAC or RSA signature computed over the encoded header and payload. Ensures integrity; it cannot be forged without the signing key (the shared secret for HS256, the private key for RS256).
The Header and Payload are NOT encrypted — they are simply Base64URL encoded. Anyone holding the token can read them. Only the Signature guarantees authenticity.
Why JWTs are Stateless: The Role of the exp Claim
Session Management in Stateless Architectures
Unlike traditional session-based authentication, where the server stores session IDs in a database and can delete one to log a user out, JWTs are stateless: the user's identity and permissions travel inside the token, and the server only needs the verification key. The flip side is that a plain JWT cannot be revoked server-side. That is why the 'exp' (Expiration) claim, a NumericDate in seconds since the Unix epoch, is the primary built-in safeguard: a verifier must reject any token whose exp is in the past, so a stolen token stays usable only until it expires, not indefinitely. Keep lifetimes short and, if you need immediate revocation, pair the token with a server-side denylist or a refresh-token scheme.
Local Auditing for Maximum Privacy
Because a bearer token often grants full access to a user's account, pasting a live token into an unknown online tool is a serious security risk: whoever operates the tool can replay it until it expires. DevFormat's JWT Expiration checker performs all of its decoding and date calculations inside your browser's JavaScript engine. Your token is never sent to our servers, so your active sessions stay private and under your control.